Understanding PowerShell’s ExecutionPolicy and Scope functionality — Unblock-File approach

Alan C. Bonnici
May 17, 2021

If you get the error below when you attempt to run a PowerShell script, it is because PowerShell has a safety feature that is preventing your scripts from running.

At https://www.alanbonnici.com/2021/04/understanding-powershells.html is an article that explains how to manage PowerShell’s ExecutionPolicy functionality using the Set-ExecutionPolicy cmdlet. It discusses the Process, CurrentUser, and LocalMachine scopes.

Comparing Settings

If you’re following along, it is best to have the ExecutionPolicy settings on your computer match the above; otherwise the outcomes may be different.

Your administrator may block PowerShell functionality using the MachinePolicy or UserPolicy ExecutionPolicy Group Policy settings. If that’s the case, you need to speak to them.

Sample PowerShell Script

At https://github.com/chribonn/PSHelloWorld is the file Say-HelloWorld.ps1. You can use it to follow along with this tutorial. Creating the script on your own computer will not work if the setting is RemoteSigned, because this policy only applies to PowerShell files downloaded from external sources.

Unblock using the GUI

Right-click on the PowerShell script, choose Properties, and check the Unblock option in the Security section of the General tab.

Unblock using PowerShell cmdlet

The Unblock-File cmdlet achieves the same result as described above.

In its simplest form one simply specifies the PowerShell script that should be unblocked.

Unblock-File .\Say-HelloWorld.ps1

As can be observed in the example, Unblock-File takes wildcards, allowing you to adjust multiple files in one fell swoop.

Unblock-File can also be used to unblock other downloaded file types that are blocked by the operating system.

Reblock-File

There could be instances in which you unblocked a file that should not have been unblocked, or, as happened in my case, I needed a quick way to reenable the blocked state. This can be done using the command below (the stackoverflow.com link to this posting is in the Reblock-HelloWorld.ps1 script in the GitHub repository).

Set-Content .\Say-HelloWorld.ps1 -Stream "Zone.Identifier" -Value "[ZoneTransfer]`nZoneId=3"

There are 5 different Zones:

ZoneId  Details
0       Local machine
1       Local intranet
2       Trusted sites
3       Internet
4       Restricted sites
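
To see which files in a folder carry the Zone.Identifier stream before running Unblock-File with a wildcard, the stream can be read and mapped to the zones listed above. This is an added example, not code from the original article or the PSHelloWorld repository; Get-ZoneMark is a hypothetical helper name, the demo files are constructed, and it assumes Windows with an NTFS volume.

```powershell
# Added example: report the Zone.Identifier stream that Unblock-File removes.
# Get-ZoneMark is a hypothetical helper name (not a built-in cmdlet).
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-ZoneMark {
    param([Parameter(Mandatory)][string]$Path)   # wildcards allowed, as with Unblock-File
    foreach ($file in Get-ChildItem -Path $Path -File) {
        # Read the alternate data stream; a file without the stream yields nothing.
        $ads = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        $zoneId = $null
        foreach ($line in $ads) {
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { $zoneId = [int]$Matches[1] }
        }
        $zone = if ($null -eq $zoneId) { 'No mark' }
                elseif ($ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] }
                else { 'Unknown zone' }
        [pscustomobject]@{ File = $file.Name; ZoneId = $zoneId; Zone = $zone }
    }
}

# Constructed demo: two throwaway scripts in a temp folder, one of them marked
# as Internet-zone with the same Set-Content command shown in this article.
$demo = Join-Path $env:TEMP 'zone-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path "$demo\local.ps1"      -Value 'Write-Host "local"'
Set-Content -Path "$demo\downloaded.ps1" -Value 'Write-Host "downloaded"'
Set-Content -Path "$demo\downloaded.ps1" -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`nZoneId=3"

Get-ZoneMark "$demo\*.ps1" | Format-Table   # report before unblocking
Unblock-File "$demo\*.ps1"                  # deletes the Zone.Identifier stream
Get-ZoneMark "$demo\*.ps1" | Format-Table   # report again to confirm the change
Remove-Item $demo -Recurse -Force           # clean up the demo folder
```

Running the report first shows exactly which files a wildcard Unblock-File call would affect, so only files whose origin you have verified get unblocked.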

Conclusion: Safety vs Security

The functionality described in this article and the one that preceded it is a safety setting, not a security setting. This is because it only deals with running PowerShell script files (extension ps1); it doesn’t block running individual cmdlets.

As can be seen in the above terminal capture, while Say-HelloWorld.ps1 would not execute, the (single) cmdlet Write-Host contained within it executed without being blocked.

Alan C. Bonnici

30+ years' experience in the field of IT in the Financial (Insurance / Banking), Services and Education industries.